- Splunk Answers
- :
- Using Splunk
- :
- Splunk Search
- :
- How to build a regular expression that will captur...
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark Topic
- Subscribe to Topic
- Mute Topic
- Printer Friendly Page
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How to build a regular expression that will capture multiple numbers in a field?
my log looks like below and i wanted to know if i could make a single regular expression to extract all xxx-xxx numbers
The following messages were logged on 12/07/16 at 07:52:10.
0420-094: blah blah blah destination.
0423-245: blah blah blah changed.
0420-098: blah blah blah job.
0424-138: blah blah blah.
so if Regex is Number then i would like to see
number
0420-094
0423-245
0420-098
0424-138
or to better understand if i do a stats count by number
number | Count
0420-094 | 1
0423-245 | 1
0420-098 | 1
0424-138 | 1
i know i can do multiple regex's for each one and then coalesce to merge them all, but if there's a better way then why not 🙂
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
How about this?
your search ... | rex "(?<number>[^:]*)" | stats count as Count by number
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Thank you for the response but the regex above will still pick the 1st number that came up in the log, i have a scenario where an event has 2-6 numbers like below but not limited to.
0420-094
0423-245
0420-098
0424-138
i want regex to parse all the values that match the regex, i was looking at MV_ADD option but not sure if that would work.
\n(?.*):
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Sorry, I interpreted your original post to be different log messages.
Is your sourcetype already correctly differentiating your multiline log events? If not, that needs be cleaned up first.
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
If you are doing this at search time, then you would probably want the following in transforms.conf (you would reference the following transform in props.conf as well).
[MVNumber]
REGEX = (\d+-\d+):
FORMAT = Number::$1
MV_ADD = true
And you would want to add the following to fields.conf
[Number]
TOKENIZER = (\d+-\d+):
INDEXED = false
INDEXED_VALUE = true
- Mark as New
- Bookmark Message
- Subscribe to Message
- Mute Message
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
thank you, i will try it out and post the update. thanks a lot
Updated Team Landing Page in Splunk Observability
New! Splunk Observability Search Enhancements for Splunk APM Services/Traces and ...
Webinar Recap | Revolutionizing IT Operations: The Transformative Power of AI and ML ...
